A new investigation by GreyNoise reveals a massive wave of over 90,000 attacks targeting AI tools like Ollama and OpenAI. Experts warn that hackers are conducting "reconnaissance" to map out vulnerabilities in enterprise AI systems.

In a recent discovery, researchers have found that cybercriminals are turning their focus toward the systems that power modern artificial intelligence (AI). Between October 2025 and January 2026, a specialized honeypot (a trap set by security experts to catch hackers) recorded 91,403 attack sessions.

This investigation was conducted by the research firm GreyNoise, which set up fake installations of a popular AI tool called Ollama to act as bait. The research reveals that there isn’t just one group at work, but two separate campaigns are active, each trying to find a different way to exploit the growing world of AI.

****The Phone Home Trick****

The first group of attackers used a method known as Server-Side Request Forgery (SSRF). To put it simply, this is a trick where a hacker fools a company’s server into making a connection to the hacker’s own computer. Researchers noted that the attackers specifically targeted Ollama and Twilio (a popular messaging service).

By sending a “malicious registry URL,” they could force the AI server to “phone home” to their own systems. It is worth noting that this activity saw a “dramatic spike over Christmas,” with 1,688 sessions occurring in just 48 hours, according to GreyNoise’s blog post. While some of these might be security researchers or bug bounty hunters looking for rewards, the timing suggests they were pushing boundaries while IT teams were on holiday.

Campaign 1 timeline (Source: GreyNoise)

****Building a Hit List for AI Models****

The second campaign is even more concerning. Starting on December 28, 2025, two specific digital addresses (45.88.186.70 and 204.76.203.125) began a massive, methodical search of over 73 different AI endpoints. While investigating, researchers found that in just eleven days, they generated 80,469 sessions to see which AI models they could reach.

According to researchers, these were professional actors, perhaps conducting reconnaissance since they weren’t trying to break things yet. Also, they noted the actors were “building target lists” by testing models from big names like Anthropic (Claude), Meta (Llama), xAI (Grok), and DeepSeek.

> _“The attack tested both OpenAI-compatible API formats and Google Gemini formats. Every major model family appeared in the probe list: OpenAI (GPT-4o and variants), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral, Alibaba (Qwen), and xAI (Grok).”_
> 
> GreyNoise

Further probing revealed that these attackers used simple, innocent questions like “How many states are there in the United States?” just to see which models would respond.

Campaign 2 test queries (source: GreyNoise)

****How to Protect Your Systems****

To keep these systems secure, researchers at GreyNoise suggest that companies should only allow AI models to be downloaded from trusted sources. It is also important to watch out for rapid-fire requests that ask the same simple questions over and over. The scale of these attacks is massive, involving 62 source IPs across 27 countries, which is a clear sign that hackers are now mapping out their next big move.

****Expert Warnings on AI Risks****

Security teams are viewing these findings as an early warning of a much broader risk. Chris Hughes, VP of Security Strategy at Zenity, shared his perspective exclusively with Hackread.com, noting that while probing models is a concern, the immediate danger lies in how AI agents interact with company systems.

“While this marks the first public confirmation of attackers targeting AI systems, it certainly won’t be the last,” Hughes stated. He explained that the information gained from these probes will likely be used for future attacks. He warned that the greater risk appears when AI tools access enterprise systems or cloud environments without proper oversight.

“As attackers move from probing models to exploiting agents, organizations that focus only on model-centric security will be responding to incidents they never saw coming,” he added.

(Photo by Egor Komarov on Unsplash)

Hackers Launch Over 91,000 Attacks on AI Systems Using Fake Ollama Servers

In today’s digital age, video content has become an essential tool for communication, education, and entertainment. Whether it’s…

In today’s digital age, video content has become an essential tool for communication, education, and entertainment. Whether it’s a tutorial, a conference, or a webinar, videos are an excellent medium for conveying information.

However, sometimes it’s more efficient to have the content in text form, whether for reference, analysis, or accessibility purposes. One of the best solutions for this is to convert video to text.

****What Does It Mean to Convert Video to Text?****

To convert video to text means transcribing the spoken words from the video into written form. This process involves listening to the video’s audio and manually or automatically writing down everything said. By doing so, you create a text version of the video content, making it easier to search, analyze, or refer back to specific points without having to rewatch the video.

****Why Convert Video to Text?****

One of the main reasons to convert video to text is to make the content more accessible. Videos, while rich in information, can be difficult to follow for people with hearing impairments. By having a transcript, you ensure that everyone can access the content in a way that suits their needs.

****Content Analysis****

Having a text version of a video allows for easier content analysis. Whether it’s extracting key points, summarizing the content, or pulling quotes, text offers a more flexible and detailed approach than video.

****Methods for Converting Video to Text****

There are several methods available for converting video to text, each with its own set of benefits and drawbacks.

****1: Manual Transcription****

Manual transcription involves watching the video and typing out what is being said. This method can be very accurate, but it can also be time-consuming, especially for longer videos. It requires a lot of attention to detail and patience, but it guarantees high-quality results.

****2: Automated Transcription Tools****

Automated transcription tools use artificial intelligence to analyze the audio in a video and generate a text version. While these tools are fast and efficient, they may not be as accurate as manual transcription. They can struggle with accents, background noise, and overlapping speech, but they are still useful for quick transcriptions.

****3: Hybrid Approach****

A hybrid approach combines both manual and automated transcription. In this method, an automated tool is first used to generate a rough transcript, which is then reviewed and corrected by a human. This method strikes a balance between speed and accuracy.

****Benefits of Converting Video to Text********Improved Accessibility and Compliance****

Text transcripts make video content usable for people with hearing impairments and for users who cannot play audio in certain environments. Transcripts also help organizations meet accessibility guidelines and internal compliance requirements.

****Better Search and Discoverability****

Text can be indexed and searched easily. Converting video to text allows search engines to understand the content of a video, which improves visibility and makes it easier for users to find specific topics or phrases without watching the full video.

****Time Efficiency and Quick Reference****

Reading is often faster than watching. A text version allows users to scan, locate key points, and return to important sections instantly. This is especially useful for long lectures, meetings, and training videos.

****Content Repurposing Opportunities****

Once video content is in text form, it can be reused in many ways. Transcripts can become blog posts, articles, documentation, captions, summaries, or internal knowledge base entries. This extends the value of a single video across multiple formats.

****Easy Sharing and Distribution****

Text is lightweight and flexible. Transcripts can be shared through email, messaging platforms, reports, or social media without large file sizes or playback limitations. This makes information easier to distribute to broader audiences.

****Conclusion****

Converting video to text transforms video content into a more accessible, searchable, and reusable format. Beyond convenience, it improves efficiency, expands reach, and increases the long term value of video assets. By adding accurate transcripts, video content becomes easier to use, easier to share, and more useful for a wider range of audiences.

(Photo by Kelly Sikkema on Unsplash)

Convert Video to Text: A Comprehensive Guide

Explore how cybercrime markets turn stolen data into laundered funds using dollar‑pegged assets, mixers and exchanges-and why tracking BTC USDT price and stablecoin flows now matters for security, fraud and AML teams.

A corporate customer database is breached on a quiet Sunday night. Millions of credentials and card numbers are quietly exfiltrated, sorted, and listed on a well‑known fraud shop on a cybercrime forum. Over the next few days, small crews buy slices of that data and start testing logins, draining loyalty points, taking over e‑commerce accounts, and running carding scripts against online merchants.

The successful hits are funnelled into mule accounts and digital wallets. From there, the proceeds converge. Balances spread across multiple services are swept into a single exchange and converted into liquid, dollar‑pegged assets for rapid movement across chains and borders.

That final conversion step often routes through major trading pairs like BTC USDT, making real-time price data a useful signal for analysts tracking large, possibly illicit, fund flows. A reliable BTC USDT price view offers immediate insight into where capital is concentrating across exchanges.

****Why This Matters for Security, Fraud, and Compliance Teams****

For many organisations, finance app security and breach handling still live in separate silos from Anti-Money Laundering (AML) and sanctions controls. Traditional data breach playbooks focus on containment, forensics, and notification.

Separately, compliance teams watch fiat rails and customer behaviour for money‑laundering red flags. Stablecoin‑enabled laundering sits directly between those worlds. It turns stolen data into on‑chain flows that are neither purely “cyber” nor purely “financial” in the old sense.

****Data Breach Economics and Cybercrime Markets********From Breach to Inventory: How Stolen Data Becomes a Product****

Once attackers gain access to an email environment, data warehouse, or payment system, the breach is only the beginning. Large dumps are pulled out, decrypted where necessary, and triaged.

High‑value elements such as logins, full identity records, card numbers, and session tokens are carved into distinct products: credential lists, so‑called “fullz,” card dumps, and access kits for specific services. These bundles are then listed on underground markets and private channels that specialise in stolen credentials and tools.

****The Role of Markets, Brokers, and “Crime as a Service”****

Cybercrime markets now resemble fragmented financial ecosystems. Initial access brokers specialise in compromised VPNs, RDP endpoints, and email accounts. Data sellers focus on curated lists of stolen credentials or identity packages.

Carders exploit payment systems, while cash‑out crews and money mules move funds through bank accounts, wallets, and merchant accounts. At the far end sit crypto specialists who understand exchanges, mixers, and DeFi, and who turn messy revenues into cleaner balances.

****Why Dollar‑Pegged Assets Appeal to Cybercrime Markets********Dollar Exposure Without Bank Accounts****

Stablecoins offer something very simple that cybercrime markets value: exposure to the US dollar without needing a conventional bank account. Many actors operate from jurisdictions where access to US banking is restricted by geography, sanctions, or risk profile. Others can technically open accounts but fear the traceability, documentation, and closure risk that comes with repeated suspicious activity. Dollar‑pegged assets bridge that gap.

****Liquidity, Speed, and Compliance Arbitrage****

There is also a very practical side to this preference. Stablecoins move quickly between exchanges, DeFi protocols, and over‑the‑counter brokers, often with less operational friction than international bank wires. Cross‑border movement that might take days in the banking system can settle in minutes or seconds on‑chain. For cybercrime markets dealing with volatile enforcement risk and fast‑moving partners, speed matters.

Different venues also apply very different KYC and AML standards. Some offshore exchanges and services have historically offered weak controls or none at all. Others are tightly regulated.

Launderers exploit this diversity by starting on lightly regulated platforms, performing multiple hops, and then approaching more reputable venues only after they believe the trail is sufficiently muddled. Issuers and regulated platforms are increasingly aggressive about freezing tainted funds, particularly when they can link flows to sanctions evasion or high‑profile ransomware.

****Laundering Pipelines: From Compromised Data to Stablecoins********Path 1 – Direct Crypto Extortion and Ransom in Dollar‑Pegged Assets****

In some incidents, breach operators bypass the whole resale and carding ecosystem and go straight to extortion. Double‑extortion and data‑leak crews encrypt systems, exfiltrate sensitive files, and threaten to publish them unless a ransom is paid.

While bitcoin once dominated these demands, there has been a noticeable shift toward liquid stablecoins as the preferred payment method. Dollar‑pegged assets let operators lock in their revenue without worrying about price swings between the demand and the actual payment.

Recent industry analysis shows that total ransomware payments dropped markedly in 2024, falling from well over a billion dollars the year before to the mid‑hundred‑million range, even as the number of incidents remained high. Still, where payments occur, crypto is prominent. 

****Path 2 – Carding, Account Takeover, and Cash‑Out to Stablecoins****

A more traditional path starts with carding and account takeover. Stolen card data and logins from a data breach are used to make fraudulent purchases, initiate withdrawals from online wallets, or order goods that can be resold. Money mules receive and forward funds, sometimes without fully understanding the origin. At each step, banks and payment processors may detect and stop some activity, but not all.

Where transactions succeed, balances accumulate in scattered accounts and merchant profiles. These pockets of value then need to be consolidated. Criminals often turn to exchanges or peer‑to‑peer trading platforms, converting local currency or intermediary assets into stablecoins.

Each platform in this chain has its own AML rules and fraud controls, which can block individual attempts. Yet the overarching goal remains the same: convert messy, risky funds into a single, portable, dollar‑linked asset that can move freely through the crypto ecosystem.

****Path 3 – Insider Abuse and Compromised Corporate Crypto Infrastructure****

In some breaches, the target already holds digital assets. That may be a centralised exchange, a fintech with internal treasury wallets, or a corporation running crypto‑based loyalty and payment programs. In these cases, attackers or corrupt insiders may not bother with traditional carding at all. Instead, they aim directly at hot wallets, signing keys, or internal transfer systems.

Composite case studies show how diverse on‑chain assets are often rapidly swept into a smaller set of liquid stablecoins. Tokens with limited liquidity or thin markets are sold or swapped, consolidating value into one or two major dollar‑pegged assets. Only then does the layering phase begin in earnest, hopping across services and chains.

****On‑Chain Infrastructure: Mixers, DeFi, Bridges, and OTC Brokers********Mixers, Peel Chains, and DeFi‑Based Obfuscation****

Once funds sit in stablecoins, launderers turn to on‑chain infrastructure designed or repurposed to break obvious links between source and destination. Classic mixers and tumblers pool deposits from many users and then redistribute them, attempting to sever direct address‑to‑address trails. Peel chains send small amounts through long sequences of wallets, “peeling” off fragments at each step. Both techniques can be, and often are, applied to dollar‑pegged assets.

DeFi adds another layer. Stable‑swap protocols and lending platforms allow large volumes of stablecoins to move in patterns that look, at least superficially, like normal liquidity provision, arbitrage, or yield‑seeking. Tainted stablecoins can be cycled through pools, borrowed against, or mixed with clean liquidity, generating a noisy transaction history.

****Cross‑Chain Bridges, OTC Desks, and P2P Off‑Ramps****

Launderers rarely stay on a single chain. Cross‑chain bridges are used to move stablecoins between networks with different user bases and compliance postures. Sometimes this is straightforward, moving from a more monitored chain to one with weaker oversight. At other times, lesser‑known networks are used as intermediate waypoints, adding hops and complexity to tracing efforts.

Eventually, most routes approach fiat. Lightly regulated OTC brokers and peer‑to‑peer exchanges play a major role here. Stablecoins are swapped for local currency transfers, cash, or high‑value goods, often via intermediaries who specialise in “no‑questions‑asked” exits.

****Case Patterns and Enforcement Disruptions********What Recent Crackdowns Reveal About Stablecoin Laundering****

Joint operations over the last few years against darknet operators, non‑compliant exchanges, and rogue payment processors have provided a clearer window into stablecoin laundering. When infrastructure is seized, and transaction records are analysed, a familiar picture emerges: fraud shops and ransomware services settling with each other in dollar‑pegged assets, routing funds through a relatively small set of services and addresses. In some operations, authorities reported that revenues at key fraud markets dropped by around half after associated financial rails were disrupted.

These takedowns do more than remove specific nodes from the ecosystem. They also surface detailed transaction graphs and operational playbooks, which investigators and analytics companies fold back into their models.

****Adaptation: How Cybercrime Markets Respond to Pressure****

Predictably, cybercrime markets adapt when pressure mounts. As stablecoin issuers and regulated platforms freeze known illicit addresses and respond more aggressively to sanctions violations, launderers experiment. They rotate between multiple dollar‑pegged assets, use niche tokens as temporary parking spots, and design multi‑hop paths that cross several chains and jurisdictions before reaching an off‑ramp. Sanctions evasion in particular has driven some of the most complex layering patterns seen to date.

****Detection Strategies for Compliance, Fraud, and Security Teams********Turning Laundering Flows into Actionable Typologies****

Narrative descriptions of how money moves are helpful, but investigators and monitoring systems need concrete rules. Experts work with clients to convert stablecoin laundering flows into AML typologies and alert logic.

Examples include clusters of small exchange deposits from known carding geographies that rapidly consolidate into a single stablecoin wallet; abrupt, high‑value transfers to newly created addresses shortly after a disclosed breach; and repeated use of certain cross‑chain bridges and DeFi pools in close sequence following fraud events.

These typologies are then tied to specific thresholds, suppression logic, and investigative playbooks. An alert for “post‑breach stablecoin consolidation” may trigger checks against internal incident timelines, external breach reports, and known cybercrime clusters.

Another typology might focus on stablecoin‑denominated settlements with services historically associated with fraud shops. By aligning typologies with the actual economics of data breach proceeds and cybercrime markets, institutions can raise meaningful suspicious activity reports while keeping false positives manageable.

****Linking Breach Telemetry with On‑Chain Signals****

One of the most powerful and still underused techniques is fusing breach telemetry with on‑chain intelligence. Indicators from an intrusion, such as C2 domains, wallet addresses found in ransom notes, or exfiltration timestamps, often have echoes in blockchain data. Correlating those signals can transform a breach investigation from a purely internal exercise into a broader follow‑the‑money operation.

****Hardening On‑/Off‑Ramps and Partner Controls********Strengthening Stablecoin Controls at Exchanges and Fintechs****

Exchanges, brokerages, and fintech platforms that support stablecoins sit at crucial points in the laundering chain. By tuning KYC and transaction‑monitoring controls specifically for dollar‑pegged flows, these institutions can dramatically reduce their attractiveness to cybercrime markets. Practical measures include differentiated onboarding tiers, enhanced due diligence for customers or regions associated with high breach and fraud activity, and dynamic limits on stablecoin movements that adjust with behavioural risk.

****Managing Third‑Party and Infrastructure Risk****

No institution operates alone in this space. Stablecoin issuers, custodians, payment processors, analytics providers, bridge operators, and OTC partners all influence how easy or hard it is for cybercrime markets to use dollar‑pegged assets.

Evaluating these partners’ risk postures, how they handle KYC, how quickly they respond to law enforcement, and whether they freeze tainted funds is a key part of managing stablecoin exposure.

****Conclusion: Using Stablecoin Insight to Strengthen Breach Response and AML********From Static Breach Playbooks to Dynamic Financial‑Crime Defences****

The journey from a breached database to laundered funds rarely stops at cash or bitcoin anymore. In case after case, data breach proceeds move through cybercrime markets, into dollar‑pegged assets, and across a complex web of mixers, DeFi protocols, bridges, and off‑ramps. Understanding those stablecoin‑centric pipelines is no longer a niche concern for “the crypto team”; it is a core part of modern financial‑crime strategy.

Institutions that integrate on‑chain intelligence into both breach response and AML gain a real advantage. They can spot when data theft begins turning into money laundering, recognise familiar laundering architectures, and coordinate faster with partners and authorities. Rather than cleaning up after each incident in isolation, they build a dynamic defence informed by how cybercrime markets actually operate today.

(Photo by Kanchanara on Unsplash)

How Cybercrime Markets Launder Breach Proceeds and What Security Teams Miss

Telegram will add a warning for proxy links after reports showed they can expose user IP addresses with a single click, bypassing VPN or privacy settings.

Security experts have discovered an issue in Telegram where clicking a disguised username link can instantly reveal your real IP address. Even if you use a proxy or VPN, this ‘one-click’ leak bypasses your settings. Learn how this affects Android and iOS users and what you can do to stay safe.

A new security discovery is causing chaos among Telegram’s 1 billion monthly users. It turns out that a simple click on a colleague’s or friend’s username might be doing more than just opening a chat; it could be handing over your real-world location data to a stranger.

This issue was first brought to light by a researcher known as @0x6rss on X.com and later confirmed by security expert Saurabh on LinkedIn. As per their investigation, the glitch is surprisingly easy to pull off, affecting both Android and iPhone users alike.

> ONE-CLICK TELEGRAM IP ADDRESS LEAK!
> 
> In this issue, the secret key is irrelevant. Just like NTLM hash leaks on Windows, Telegram automatically attempts to test the proxy. Here, the secret key does not matter and the IP address is exposed.  
> Example of a link hidden behind a… https://t.co/KTABAiuGYI pic.twitter.com/NJLOD6aQiJ
> 
> — 0x6rss (@0x6rss) January 10, 2026

****The Hidden Trap in Your DMs****

Many of us use Telegram because it feels safer than other apps. The platform even includes a built-in tool called MTProxy, which is meant to help people in countries with heavy censorship bypass blocks and hide their internet traffic. However, the research group GangExposed RU found that hackers can disguise a special link, known as a “tg://proxy” link, to look exactly like a normal Telegram username (e.g., @durov).

> ⚠️Telegram 1-click vulnerability
> 
> A single click can reveal your real IP address — even if you use a proxy.
> 
> Affects both Android and iOS Telegram clients. 👇 pic.twitter.com/Nz8vjnb8KP
> 
> — GangExposed RU (@GangExposed\_RU) January 10, 2026

Here is the catch: when you click that name, Telegram automatically pings a server to check if it’s working. This check happens using your phone’s direct internet connection, completely ignoring any privacy settings or VPNs you have turned on. In an instant, the person on the other side can see your real IP address, which reveals your city, service provider, and general location.

****Why This is Catching People Off Guard****

The secret keys usually required for secure connections are totally irrelevant here because the mere act of clicking is the trigger. Some experts have compared this to a famous security flaw in Windows, where a computer accidentally gives away information just by trying to connect to a network.

Because these links look like regular internal parts of the app, they don’t set off any red flags. A user might think they are just looking at a profile, but they are actually sending their digital home address to a server controlled by an attacker.

****Telegram’s Response****

Telegram has since clarified that while they believe this is how internet links naturally work, they are going to add a warning pop-up. This way, if you click a disguised link, you’ll get a heads-up before your info is shared.

> _“Any website or proxy owner can see the IPs of those who access it regardless of platform. This is no more relevant to Telegram than WhatsApp or any other web service. Still, we’re adding a warning that will show when clicking proxy links so users can be aware of disguised links.”_
> 
> Telegram

> Any website or proxy owner can see the IPs of those who access it regardless of platform. This is no more relevant to Telegram than WhatsApp or any other web service. Still, we're adding a warning that will show when clicking proxy links so users can be aware of disguised links.
> 
> — Telegram Messenger (@telegram) January 12, 2026

Until that update rolls out, it’s best to be cautious. Avoid clicking on usernames from people you don’t know in large public groups. If you want to be extra safe, you can use a separate VPN app on your phone rather than relying on the one built into Telegram, as this covers all your phone’s outgoing pings.

Telegram to Add Warning for Proxy Links After IP Leak Concerns

Flowable has launched version 2025.2 of its enterprise work orchestration platform, adding support for governed multi-agent AI, impact…

Flowable has launched version 2025.2 of its enterprise work orchestration platform, adding support for governed multi-agent AI, impact analysis, and runtime visibility as organizations look to scale AI automation without increasing compliance risk.

As AI integrations spread across enterprise workflows, organizations face mounting pressure to balance speed with governance. Fragmented tools, disconnected agents, and unclear dependencies create compliance gaps and delay effective digital modernisation. Flowable 2025.2 responds to these pressures by strengthening enterprise AI governance across the full automation lifecycle, from design and deployment through runtime execution and audit.

****Enterprise Context and Governance Challenges****

Flowable describes this challenge as a “complexity vortex,” driven by fragmented systems, risky automation, and brittle processes that slow change. While AI can accelerate individual tasks, it introduces risk when decisions occur outside standardized processes. As a result, policy updates are delayed, audit findings take longer to resolve, and teams hesitate to modify systems that appear stable but carry hidden dependencies.

These constraints limit innovation and keep AI initiatives confined to pilots rather than production use. Governance gaps often appear at handoffs between teams, across shared services, and during audits. Unclear ownership, control, and visibility of AI, rules, and automated decisions make accountability difficult, especially when AI agents act across multiple systems.

Release 2025.2 addresses these challenges by strengthening regulated workflow automation through orchestration, governance, and visibility. This approach reduces operational uncertainty and allows enterprises to adapt processes and policies while maintaining compliance.

****Multi-agent Orchestration and Architectural Flexibility****

Flowable 2025.2 strengthens support for multi-agent orchestration through compatibility with the A2A specification. This enables enterprises to coordinate AI agents from different vendors and frameworks under a single governed layer, without rebuilding their architecture as AI ecosystems evolve.

This approach mitigates vendor lock-in and improves interoperability across AI frameworks. Organizations can add, replace, or scale AI capabilities incrementally while maintaining consistent governance, security, and compliance controls. Agents from multiple ecosystems can collaborate while remaining accountable within enterprise processes.

****AI-assisted Design and Safer Change Management****

A central focus of Flowable 2025.2 is improving how organizations manage change in complex automation environments. The release expands AI-assisted capabilities across automation processes, cases, decisions, forms, service, and agent models, supporting a low-code AI design approach. Integrated AI assistance helps teams identify model dependencies before changes are made, reducing the risk of unintended downstream effects.

This approach supports safer modernization by helping automation teams address compliance requirements and business changes without extended testing cycles or late-stage release delays.

For regulated teams, this design-time clarity helps reduce dependency on a small number of senior specialists. It allows broader groups of developers and process owners to participate in change with greater confidence.

****Impact Analysis Before Deployment****

The release also introduces enhanced AI impact analysis capabilities that allow teams to assess potential consequences before changes reach production. Flowable pinpoints where rules, variables, and services intersect across workflows, giving teams early visibility into what could fail before changes are made. Teams can query where a variable appears or what breaks if a rule changes.

These insights support explainable decisions before updates reach production. Improved visibility leads to more predictable releases and reduces the likelihood of risky changes late in the development cycle. For regulated organizations, the ability to evaluate impact upfront plays a critical role in maintaining audit readiness while accelerating delivery.

****Visibility, Compliance, and Human Oversight****

Governance and transparency remain key priorities in Flowable 2025.2. The release improves visibility into AI behavior through timelines of agent requests, responses, and tool usage. Cost transparency improves through token usage and invocation tracking, while audit trails document how AI-driven decisions align with organizational policies.

This visibility supports internal audits, regulatory reviews, and post-incident analysis with a consistent record of automated decision-making. Teams gain clearer insight into AI behavior across agents, tools, and workflows without relying on manual reconstruction after issues arise.

The platform also reinforces human-in-the-loop AI patterns. New features allow frontline teams to request AI assistance during workflows while keeping control over final decisions. Caseworkers, underwriters, and service teams can request summaries or recommendations while retaining control of final decisions and maintaining full auditability.

_“When working with long documents such as medical reports or legal filings, teams often lose valuable time,”_ said Flowable CTO, Micha Kiener. _“Flowable 2025.2 helps surface relevant information directly within workflows, while ensuring that human judgment and auditability remain central to every decision.”_

Flowable 2025.2 improves operational stability by separating AI tasks from core transaction processing. This reduces the risk that long-running AI calls delay databases or affect system performance, helping organizations scale automation without compromising oversight in mission-critical environments.

****Platform Foundations Supporting Governed Automation & Velocity****

Beyond AI-specific enhancements, Flowable 2025.2 strengthens its platform foundations to support sustained enterprise adoption. Improvements include broader model validation across design environments, expanded legacy IT system integration options through Apache Camel, enhanced CI and CD workflows, and extended service-level agreement modeling.

These updates reduce operational surprises by ensuring new automation capabilities work with existing systems, governance standards, and performance goals. They connect automation performance directly to business outcomes, including full-cycle timing and service quality. This supports what Flowable describes as governed automation with velocity, the ability to innovate quickly while maintaining operational control.

More information about Flowable 2025.2 here.

**_**About Flowable**_**

Flowable provides an enterprise control panel for agentic automation that ensures centralized governance, agility, and control to un-silo processes and automate work that is connected across systems, departments, and tools. The company supports enterprises worldwide with solutions for workflow orchestration, decision automation, and governed AI-driven process optimization.

**_**Media Contact**_**

_Ben Zimdahl_  
_Marketing Content Manager_  
_\[email protected\]_  
_+41 31 329 09 00_  
_Website:_ _flowable.com_

Flowable 2025.2 Brings Governed Multi-Agent AI Orchestration to Enterprises

Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.

If you’ve recently used a credit card to shop online, you may have been the target of a massive, hidden cyberattack. Security researchers at Silent Push have identified an extensive network of malicious domains dedicated to Magecart, a term used to describe a specific type of online credit card theft and the various groups that carry it out.

In a report shared with Hackread.com, the team revealed that this specific campaign has been operating secretly since at least January 2022, and the scope of the attack is disturbingly wide, targeting customers using nearly every major payment network, including Mastercard, American Express, Discover, Diners Club, JCB, and UnionPay.

****A Trap Hidden in Plain Sight****

What makes this network so dangerous is its ability to blend in. The attackers host their scripts on domains that sound harmless. Such as a particular site cdn-cookie.com was found on servers belonging to PQ.Hosting (aka Stark Industries), a company currently facing European sanctions.

According to Silent Push researchers, the code is smart enough to hide from the people who actually run the stores. If the script detects a WordPress Admin Bar, which is the toolbar that appears when a site owner is logged in, it instantly deletes itself to avoid being caught.

“This is done to evade the prying eyes of website administrators, increasing the chance of the malware’s survival,” researchers noted in the blog post published on 13 January, 2026.

Researchers found a compromised site colunexshop(.)com with a malicious file callout on its checkout page (Source: Silent Push)

****The Double-Entry Trick****

The core of this scam is based on psychological deception. When a regular shopper goes to pay, the malware hides the real payment box and replaces it with a fake one that looks identical. It even recognises which card you are using, such as if you type a Mastercard number, a small Mastercard logo pops up to make the form look official.

Once you click ‘Place Order,’ the hackers grab your name, address, and card digits. To keep you from getting suspicious, the script quickly brings back the real payment form and shows an error message. Most people assume they just made a typo, re-enter their info into the real form, and the sale goes through. As we know it, you get your package, but the thieves already have your data.

Attack process (Source: Silent Push)

****How to Protect Yourself****

It is worth noting that because this happens inside your own web browser, it is nearly impossible for a normal user to see. However, there are small red flags, like if a site suddenly asks you to re-enter your payment info after an odd error, or if the form looks slightly different the second time, it could be a sign of a skimmer.

Silent Push suggests that store owners must stay one step ahead by strictly controlling what scripts are allowed to run on their pages. For the rest of us, keeping a close eye on bank statements remains the best defence against these invisible skimmers.

Widespread Magecart Campaign Targets Users of All Major Credit Cards

Telegram mods spread a powerful Android backdoor as banking trojans surge and Joker malware resurfaces on Google Play in Q4 2025, says Doctor Web.

A modified version of Telegram X has been used to infect tens of thousands of Android devices with a sophisticated backdoor, according to the latest Q4 2025 mobile malware report by Doctor Web.

The malware, labeled Android.Backdoor.Baohuo.1.origin, was hidden inside unofficial builds of the popular messaging app and distributed through third-party app catalogs and suspicious websites.

Once installed, the malware grants attackers the ability to control the victim’s Telegram account, effectively allowing them to act as if they were the user themselves. That includes joining or leaving channels, hiding new logins from account history, and even hiding specific messages. The goal appears to be long-term control without alerting the user.

Doctor Web reported that around 58,000 devices had been infected, affecting roughly 3,000 different models. However, the infection wasn’t limited to smartphones; Android-powered tablets, smart TVs, TV box sets, and even in-car systems were also affected. This wide reach shows how attackers are targeting any Android system that can install APKs outside the Play Store.

****Other Android Malware Activity You Should Know About****

Doctor Web’s report also noted a spike in banking trojans, particularly those in the Android.Banker family. These threats increased by over 65%, targeting users with fake banking interfaces and intercepting SMS codes. Meanwhile, adware like MobiDash and HiddenAds declined, but modules like AdPush still topped detection charts.

Additionally, the notorious Joker malware and FakeApp trojan showed up again on Google Play, reaching more than 263,000 installs before being taken down. These apps subscribed users to paid services or pushed them toward scam websites.

****Telegram and Malware Apps****

The fact that this malware was embedded into a widely used messaging app is not surprising, since it has happened several times in the past. Telegram’s popularity, especially in regions where alternative app stores are more commonly used, makes it a prime target for tampered versions. Users often look for modified builds promising added features or fewer restrictions, which opens the door to these kinds of threats.

If you’re using unofficial versions of Telegram or other apps from third-party stores, delete them immediately and change the passwords for your email, social media accounts, crypto wallets, and the PIN codes for your banking and card apps.

A horizontal bar chart comparing the most common Android malware detected in Q3 and Q4 of 2025, based on data from Dr.Web Security Space for mobile devices. Each malware variant is listed on the vertical axis, while the detection rate, expressed as a percentage, is shown on the horizontal axis.

Doctor Web’s full review of Q4 2025, including technical details and indicators of compromise, is available here.

(Photo by Mika Baumeister on Unsplash)

Q4 2025 Malware Trends: Telegram Backdoor, Banking Trojans Surge, Joker Returns to Google Play

Menlo Park, USA, 13th January 2026, CyberNewsWire

**Menlo Park, USA, January 13th, 2026, CyberNewsWire**

AccuKnox has entered into a partnership with Hexaware Technologies to expand its Zero Trust cloud security platform into enterprise accounts managing hybrid and multi-cloud infrastructure.

With rising complexity across hybrid, multi-cloud, and agentic-AI environments, organizations are prioritizing robust cloud security infrastructure that can scale. 

The AccuKnox and Hexaware partnership aims to address this demand by combining AccuKnox’s industry-leading CNAPP, CSPM, Kubernetes Security (KSPM), and Runtime Zero-Trust Enforcement capabilities with Hexaware’s deep enterprise delivery, cloud solutions, app engineering, managed security services portfolio, and global client reach.

Effective immediately, the two companies will support clients in industries such as financial services, telecom, and healthcare sectors that demand continuous protection due to their scale, regulatory complexity, and persistent exposure to targeted cyber threats.

**Strategic Partnership Goals**

1.  Strengthen cloud and Kubernetes security across regulated sectors, including BFSI, healthcare, and government.
2.  Enable seamless deployment models across cloud, on-prem, hybrid, and fully air-gapped environments.
3.  Jointly provide packaged solution offerings, pursue co-innovation, and enable cybersecurity awareness programs.

> “Organizations are looking for security that matches the pace and complexity of modern cloud environments. Partnering with Hexaware allows us to support customers with scalable delivery, strong security engineering discipline, and deep enterprise experience.” – **Nat Natraj, CEO of AccuKnox.**

> “Hexaware commands a strong presence in industries where operational continuity and compliance are essential. Their commitment to advanced security and automation firmly establishes them as a key player in our partner ecosystem.” – **Raj Panchapakesan, Global Head of Business Development & Partner Ecosystem at AccuKnox.**

> “Our global clients run mission-critical workloads in the cloud, and we see firsthand the security needs that come with speed, scale, and complexity. Our partnership with AccuKnox reflects our commitment to helping clients protect their cloud apps and infrastructure through a unified CNAPP approach – bringing posture, runtime protection, and identity-aware security together. This capability directly complements our AI-led automation and zero-trust approach for cybersecurity.” – **Mohit Vaish, Global Head – Cybersecurity at Hexaware Technologies.**

**About AccuKnox**

AccuKnox provides cloud and workload security grounded in Zero Trust principles, offering capabilities for posture management, runtime protection, network segmentation, and compliance enforcement. Built on open-source foundations and scalable deployment models, AccuKnox supports customers operating in cloud, hybrid, and air-gapped environments.

Users can learn more at AccuKnox

**About Hexaware**

Hexaware Technologies is a global technology and cybersecurity services provider helping enterprises modernize securely across cloud, data, and application landscapes. With teams operating worldwide, Hexaware delivers transformation programs and continuous security operations for large-scale organizations.

Users can learn more at Hexaware

**Contact**

**PMM**  
**Syed Hadi**  
**AccuKnox**  
**\[email protected\]**

Hexaware Partners with AccuKnox for Cloud Security Services

New research from Recorded Future reveals how Russian state hackers (BlueDelta) are using fake Microsoft and Google login portals to steal credentials. The campaign involves using legitimate PDF lures from GRC and EcoClimate to trick victims.

Recent findings from the research firm Recorded Future’s Insikt Group reveal that it only takes two seconds of distraction for a professional’s private data to fall into the wrong hands.

According to Recorded Future’s latest blog post, a Russian state-sponsored hacking group, known as BlueDelta (or Fancy Bear), has been carrying out sneaky campaigns to steal login information from professionals worldwide.

Reportedly, betweet Feburary and September 2025, BlueDelta targeted individuals is specialised frields like energy and nuclear research, particularly in Türkiye and Europe. Researchers observed that the campaign’s objective seems to be credentials harvesting.

****How the Scams Work****

Researchers noted that the hackers are becoming much more convincing because, instead of using obvious fake links, they show the victim a real document first. For example, a target may receive a link that opens a legitimate-looking PDF about climate change or international politics, such as a report from the Gulf Research Centre (GRC) regarding Israel and Iran.

Authentic GRC PDF lure (Source: Recorded Future)

Another such lure was a report from the EcoClimate Foundation titled “Climate Action as a Strategic Priority,” which specifically targeted scientists working on renewable energy. While the victim is distracted by these documents, the website is actually working in the background. After just two seconds, the page automatically switches to a fake login screen.

Further investigation revealed that these fake pages were designed to look like:

*   Google: Using Portuguese-language pages to trick users.
*   Sophos VPN: Aimed at staff within a European think tank.
*   Microsoft Outlook (OWA): Specifically targeting military staff in North Macedonia and IT experts in Uzbekistan.

****Simple but Effective Tactics****

It is worth noting that BlueDelta doesn’t use expensive equipment for these attacks; they rely on free internet services like Webhook.site, ngrok, and InfinityFree. According to researchers, this makes the attacks a “low-cost, high-yield” way to steal data because when a victim enters their details, the hackers’ code automatically saves the info and then sends the user back to the real website.

Attack process (Source: Recorded Future)

“The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility,” the blog post reads. By the time the victim is redirected to the real login page, their credentials have already been stolen. 

This activity represents a major expansion of BlueDelta’s operations, showing their commitment to collecting information from government and research networks. 

That’s why, experts urge you to always check links for suspicious addresses like webhook.site, and never trust login prompts that appear suddenly while reading a PDF. It also helps to ensure you have multi-factor authentication active on all professional accounts to stay protected.

(Photo by KOBU Agency on Unsplash)

Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds

Secure container images are now essential for modern apps. These five options help teams reduce risk, cut patching effort, and improve long-term security.

Modern applications are built on containers, but their security posture is largely inherited from them. Long before application code runs, choices made at the container image level determine which vulnerabilities are embedded, which risks remain undetected, and how much remediation work is required with every release.

By 2026, secure container images will no longer be a niche concern. They are a prerequisite for maintaining velocity without accumulating unmanageable security debt. Teams are increasingly selective about what they inherit, how images are maintained, and whether vulnerabilities are prevented or merely detected.

****At a Glance: The 7 Best Container Image Security Tools for 2026****

1.  **Echo** – Rebuilds base images to remove CVEs before they enter the supply chain  
    
2.  **Sysdig** – Helps teams decide which image vulnerabilities actually matter in production  
    
3.  **Aqua Security** – Enforces image security standards across CI/CD pipelines at scale  
    
4.  **JFrog Xray** – Exposes vulnerable components and dependency risk inside container images  
    
5.  **Palo Alto Prisma Cloud** – Centralizes policy and compliance controls for container images  
    
6.  **Orca Security** – Prioritizes image risk based on cloud exposure, not raw CVE counts  
    
7.  **ARMO** – Links image vulnerabilities to Kubernetes posture and misconfigurations

****What Makes a Container Image “Secure” in 2026****

Security at the image level is no longer defined solely by scan results. Most modern images will _pass_ a scan at some point. The real differentiator is how quickly risk returns, and how much effort is required to keep it under control.

A secure container image in 2026 typically demonstrates four characteristics:

*   Minimal inherited attack surface
*   Clear ownership and maintenance model
*   Predictable lifecycle and update cadence
*   Low reintroduction of known vulnerabilities over time

Images that fail on these dimensions tend to look secure briefly, then degrade rapidly as new CVEs emerge.

****The Best Secure Container Images for Modern Applications********1\. Echo****

Echo represents a shift from _hardening_ images to preventing vulnerabilities from entering them at all. Echo is best suited for organizations that want to reduce long-term security effort, not just improve visibility.

Rather than starting with a general-purpose distribution and patching it, Echo rebuilds container base images from scratch – removing unnecessary components, while maintaining full functionality. The resulting images are delivered as CVE-free drop-in replacements for common base images and runtimes.

What makes Echo particularly effective for modern applications is not just the clean starting point, but continuous maintenance. Autonomous systems monitor new vulnerability disclosures, apply fixes, and reissue images before CVEs accumulate downstream.

****Benefits:****

*   Images start with zero known CVEs
*   Vulnerabilities are prevented, not managed
*   Compatible with existing CI/CD workflows
*   Security posture does not degrade between releases

****2\. Google Distroless****

Google Distroless images are designed around a simple idea: if something is not required to run the application, it should not be in the image.

By removing shells, package managers, and debugging utilities, Distroless drastically reduces the attack surface. This makes it a strong choice for production workloads where immutability and predictability matter more than convenience.

Distroless images enforce discipline. Debugging must occur externally, and build pipelines must be well-defined. For teams that have reached this level of maturity, the security benefits are substantial.

****Benefits:****

*   Minimal runtime exposure
*   Strong alignment with zero-trust principles
*   Reduced exploit paths

****3\. Alpine Linux****

Alpine Linux remains one of the most widely used minimal base images. Its small footprint reduces image size and limits default package inclusion, which helps control the attack surface.

However, Alpine’s fast release cadence and reliance on musl libc introduce frequent vulnerability disclosures and occasional compatibility challenges. While patches are typically released quickly, the maintenance burden is higher than many teams expect.

Alpine is secure by _reduction_, not by prevention.

****Benefits:****

*   Performance-sensitive workloads
*   Teams are comfortable with frequent rebuilds
*   Environments where size matters more than stability

****4\. Ubuntu Container Images****

Ubuntu Container Images prioritize stability, predictability, and ecosystem compatibility. Maintained by Canonical, they offer long-term support releases and a familiar operating model.

Security in Ubuntu images comes from responsiveness, not minimalism. Vulnerabilities are patched quickly, but the images include a broad set of packages by default, which increases inherited risk.

Ubuntu images are often chosen when development velocity and compatibility outweigh aggressive hardening.

****Benefits:****

*   Teams standardizing on Ubuntu across environments
*   Long-lived applications
*   Broad third-party dependency requirements

****5\. Red Hat Universal Base Images****

Red Hat Universal Base Images (UBI) are commonly used in enterprise environments that require formal support models and certified distributions, particularly where compliance requirements influence base image selection.

UBI images trade minimalism for governance. They integrate tightly with Red Hat’s ecosystem and offer predictable lifecycle management, which is essential in regulated industries.

From a security perspective, UBI emphasizes control and auditability rather than vulnerability elimination.

****Benefits:****

*   Regulated industries
*   Compliance-driven environments
*   Organizations standardizing on Red Hat

****Why Secure Images Matter More Than Secure Code****

Application teams can patch code quickly. Images are different.

Base images are often:

*   Rebuilt infrequently
*   Shared across many services
*   Trusted implicitly once approved
*   Maintained by platform teams rather than app teams

This makes the image layer one of the most effective places to either eliminate risk or unknowingly multiply it.

Organizations that invest in secure image foundations consistently report fewer emergency rebuilds, fewer security exceptions, and smoother compliance reviews.

****How Teams Choose Secure Images in Practice****

Most organizations do not select secure images solely based on scan scores. The decision usually comes down to:

*   Whether vulnerabilities accumulate over time
*   Who is responsible for maintaining the image
*   How well the image aligns with existing workflows
*   How much ongoing remediation work does the image creates

Images that reduce long-term effort tend to outperform those that simply look secure at a single point in time.

The most effective teams choose image foundations that minimize inherited risk, clarify ownership, and reduce recurring security work. In that context, secure images are no longer a tactical choice; they are a strategic one.

Source

HackRead